
Data from a class's property is leaking out when serialized #154

@SteveTherrien

Description

I'm using the latest version (4.3.0) under PHP 8.4 and noticed some problems with my unserialized data.

Example code
<?php declare(strict_types=1);
use function Opis\Closure\{serialize as opis_serialize, unserialize as opis_unserialize};
require_once(__DIR__.'/../vendor/autoload.php');

// Three top-level items: an object, an empty array and a one-element array.
// Only the empty 'item2' is needed to trigger the problem (see below).
$data = [
   'item1' => new example(),
   'item2' => [ ],
   'item3' => [ 'my data', ],
];


// Native PHP round trip, used as the reference result.
echo "# Expected:\n\n";
var_dump(unserialize(serialize($data)));

// Same data through opis/closure; the serialized string is printed as well.
echo "\n\n# Actual:\n";
$opis_serialized = opis_serialize($data);
echo $opis_serialized . "\n\n";
var_dump(opis_unserialize($opis_serialized));


// Plain class with one public array property (hoisted, so it can be used above).
class example {
   public array $items = [
      [ 'fn' => 'John', 'ln' => 'Doe' ],
   ];
}

Expected output

This is the expected output using PHP's native serialize and unserialize functions:

array(3) {
  'item1' =>
  class example#4 (1) {
    public array $items =>
    array(1) {
      [0] =>
      array(2) {
        'fn' =>
        string(4) "John"
        'ln' =>
        string(3) "Doe"
      }
    }
  }
  'item2' =>
  array(0) {
  }
  'item3' =>
  array(1) {
    [0] =>
    string(7) "my data"
  }
}

Actual output

This is using opis/closure's functions.

item3 should contain the string "my data", but instead contains the Test object's $items array.

array(3) {
  'item1' =>
  class example#21 (1) {
    public array $items =>
    array(1) {
      [0] =>
      array(2) {
        'fn' =>
        string(4) "John"
        'ln' =>
        string(3) "Doe"
      }
    }
  }
  'item2' =>
  array(0) {
  }
  'item3' =>
  array(2) {
    'fn' =>
    string(4) "John"
    'ln' =>
    string(3) "Doe"
  }
}

Serialized string

Here's the output from opis/closure's serialize():

a:3:{s:5:"item1";O:16:"Opis\Closure\Box":2:{i:0;i:3;i:1;a:2:{i:0;s:7:"example";i:1;a:2:{s:5:"items";a:1:{i:0;a:2:{s:2:"fn";s:4:"John";s:2:"ln";s:3:"Doe";}}s:3:"\0?\0";N;}}}s:5:"item2";a:0:{}s:5:"item3";R:8;}

(I had to substitute \0 for literal null characters in s:3:"\0?\0" to paste it here. I'm not sure if that's normal.)

item3 seems to contain a reference to other serialized data instead of its own ("item3";R:8;).

item2 in $data is somehow connected, because removing it or adding an item to it fixes the output.
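To see where the `R:8;` in the serialized string actually points, it helps to number the values the way PHP's unserialize() does: every value gets the next slot number in the order it is read, array keys never get one, and an `R:n;` itself takes no slot. The decoder below is an added example for this page, not code from the report or from opis/closure. It parses the string from the report (with the two `\0` placeholders restored to real NUL bytes, which is an assumption) and resolves the reference; a second string, constructed here in the form PHP's native serialize() emits for the same `$data`, serves as the control. `cross_item_refs()` flags any back-reference whose target lives under a different top-level key than the reference itself, which is exactly the aliasing that makes `item3` come back as `item1`'s nested `fn`/`ln` array.

```python
"""PHP serialize() decoder with PHP-compatible slot numbering, used to resolve
R:n; / r:n; back-references. Added example; not part of opis/closure."""
from __future__ import annotations
from typing import Any

Path = tuple[Any, ...]


class PhpUnserializer:
    """Handles a:, O:, s:, i:, d:, b:, N; and the R:/r: reference forms.
    Objects are returned as dicts with a '__class' entry (enough for a demo)."""

    def __init__(self, data: str) -> None:
        self.data = data
        self.pos = 0
        self.slots: list[Any] = []            # slots[n-1] is value number n
        self.slot_paths: list[Path] = []      # key path of each slot in the tree
        self.refs: list[tuple[Path, int]] = []  # (path of the R:/r:, target slot)
        self._path: list[Any] = []

    def _take(self, n: int) -> str:
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s

    def _expect(self, s: str) -> None:
        if not self.data.startswith(s, self.pos):
            raise ValueError(f"expected {s!r} at offset {self.pos}")
        self.pos += len(s)

    def _until(self, ch: str) -> str:
        end = self.data.index(ch, self.pos)
        s = self.data[self.pos:end]
        self.pos = end + 1
        return s

    def _string(self) -> str:                 # len:"bytes" (quotes only, no ';')
        n = int(self._until(':'))
        self._expect('"')
        s = self._take(n)
        self._expect('"')
        return s

    def _slot(self, value: Any) -> Any:       # register a value in the next slot
        self.slots.append(value)
        self.slot_paths.append(tuple(self._path))
        return value

    def _key(self) -> Any:                    # keys are parsed without a slot
        tag = self._take(1)
        self._expect(':')
        if tag == 'i':
            return int(self._until(';'))
        if tag == 's':
            k = self._string()
            self._expect(';')
            return k
        raise ValueError(f"bad key tag {tag!r} at offset {self.pos}")

    def _members(self, container: dict, count: int) -> None:
        self._expect('{')
        for _ in range(count):
            k = self._key()
            self._path.append(k)
            container[k] = self._value()
            self._path.pop()
        self._expect('}')

    def _value(self) -> Any:
        tag = self._take(1)
        if tag == 'N':
            self._expect(';')
            return self._slot(None)
        self._expect(':')
        if tag == 'i':
            return self._slot(int(self._until(';')))
        if tag == 'd':
            return self._slot(float(self._until(';')))
        if tag == 'b':
            return self._slot(self._until(';') == '1')
        if tag == 's':
            s = self._string()
            self._expect(';')
            return self._slot(s)
        if tag == 'a':
            arr: dict = {}
            self._slot(arr)                   # container is numbered before its members
            self._members(arr, int(self._until(':')))
            return arr
        if tag == 'O':
            obj: dict = {'__class': self._string()}
            self._expect(':')
            self._slot(obj)
            self._members(obj, int(self._until(':')))
            return obj
        if tag in 'Rr':
            n = int(self._until(';'))
            if not 1 <= n <= len(self.slots):
                raise ValueError(f"{tag}:{n}; points past the {len(self.slots)} values read so far")
            self.refs.append((tuple(self._path), n))
            target = self.slots[n - 1]
            if tag == 'r':
                self._slot(target)            # r: occupies a slot, R: does not
            return target
        raise ValueError(f"unsupported tag {tag!r} at offset {self.pos}")

    def parse(self) -> Any:
        v = self._value()
        if self.pos != len(self.data):
            raise ValueError("trailing data after the top-level value")
        return v


def cross_item_refs(data: str) -> list[tuple[Path, int, Path, Any]]:
    """Back-references whose target sits under a different top-level key than
    the reference: (ref path, target slot, target path, target value)."""
    p = PhpUnserializer(data)
    p.parse()
    return [(path, n, p.slot_paths[n - 1], p.slots[n - 1])
            for path, n in p.refs if path[:1] != p.slot_paths[n - 1][:1]]


# The opis/closure output quoted in the report, NUL bytes restored (assumed).
ISSUE_SAMPLE = (
    'a:3:{s:5:"item1";O:16:"Opis\\Closure\\Box":2:{i:0;i:3;i:1;a:2:{'
    'i:0;s:7:"example";i:1;a:2:{s:5:"items";a:1:{i:0;a:2:{s:2:"fn";s:4:"John";'
    's:2:"ln";s:3:"Doe";}}s:3:"\x00?\x00";N;}}}s:5:"item2";a:0:{}s:5:"item3";R:8;}'
)
# Control: constructed here as native PHP serialize() emits the same $data.
NATIVE_SAMPLE = (
    'a:3:{s:5:"item1";O:7:"example":1:{s:5:"items";a:1:{i:0;a:2:{s:2:"fn";'
    's:4:"John";s:2:"ln";s:3:"Doe";}}}s:5:"item2";a:0:{}s:5:"item3";a:1:{i:0;s:7:"my data";}}'
)
```

Walking ISSUE_SAMPLE, the slots run: 1 outer array, 2 Box, 3 `i:3`, 4 the Box's second property, 5 `"example"`, 6 the property array, 7 `items`, 8 the `{fn, ln}` array, 9 `"John"`, 10 `"Doe"`, 11 the `N;`, 12 the empty `item2`. So `R:8;` makes `item3` an alias of `item1`'s `{fn, ln}` array, which is the "Actual output" above. The empty `item2` matters because it was given slot 12 instead of the slot the writer apparently expected `item3`'s own data to occupy. The control string contains no reference at all.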
